rspec/rules/S5876/javascript/how-to-fix-it/passportjs.adoc

== How to fix it in Passport

=== Code examples

Upon user authentication, it is crucial to regenerate the session identifier to prevent fixation attacks. Passport provides a mechanism to achieve this by using the `req.session.regenerate()` method. By calling this method after successful authentication, you can ensure that each user is assigned a new and unique session ID.

==== Noncompliant code example

[source,javascript,diff-id=1,diff-type=noncompliant]
----
app.post('/login', 
  passport.authenticate('local', { failureRedirect: '/login' }),
  function(req, res) {
    // Noncompliant - no session.regenerate after login
    res.redirect('/');
  });
----

==== Compliant solution

[source,javascript,diff-id=1,diff-type=compliant]
----
app.post('/login', 
  passport.authenticate('local', { failureRedirect: '/login' }),
  function(req, res) {
    let prevSession = req.session;
    req.session.regenerate((err) => {
      Object.assign(req.session, prevSession);
      res.redirect('/');
    });
  });
----

=== How does this work?

include::../../common/fix/new-session.adoc[]